Critical Vulnerabilities in PTC Products Patched
March 1, 2023
Two critical vulnerabilities in several industrial IoT (IIoT) software products made by PTC have been patched. Discovered by Chris Anastasio and Steven Seeley of Incite Team, the vulnerabilities, CVE-2023-0754 and CVE-2023-0755, can be exploited for denial-of-service (DoS) attacks and remote code execution. Affected products include ThingWorx Edge MicroServer (EMS) and .NET SDK, Kepware KEPServerEX, ThingWorx Kepware Server, ThingWorx Industrial Connectivity, and ThingWorx Kepware Edge.
The US Cybersecurity and Infrastructure Security Agency (CISA) informed organizations about the vulnerabilities in an advisory published on February 23. Proof-of-concept (PoC) exploits were also released by the researchers. While remote code execution is technically possible, an attacker would most likely achieve a DoS condition by exploiting these flaws. It is unclear if the vulnerabilities can be exploited directly from the internet. PTC has released updates that should address the vulnerabilities.